On May 12, SAP released security updates comprising 18 new patches, of which 6 are critical and 4 have "high" priority.
CERT PSE encourages administrators to review the SAP Security Patch Day notes and apply the necessary updates.
Full list of patches:
Note# | Title | Priority | CVSS |
2835979 | [CVE-2020-6262] Code Injection vulnerability in Service Data Download. Product – SAP Application Server ABAP, Versions – 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740 | Hot News | 9.9 |
2622660 | Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client. Product – SAP Business Client, Version – 6.5 | Hot News | 9.8 |
2885244 | [CVE-2020-6242] Missing Authentication check in SAP Business Objects Business Intelligence Platform (Live Data Connect). Product – SAP Business Objects Business Intelligence Platform (Live Data Connect), Versions – 1.0, 2.0, 2.x | Hot News | 9.8 |
2917275 | [CVE-2020-6248] Code injection in SAP Adaptive Server Enterprise (Backup Server). Product – SAP Adaptive Server Enterprise (Backup Server), Version – 16.0 | Hot News | 9.1 |
2863731 | Update to Security Note released on April 2020 Patch Day: [CVE-2020-6219] Deserialization of Untrusted Data in SAP Business Objects Business Intelligence Platform (CR .Net SDK WebForm Viewer). Product – SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), Versions – 4.1, 4.2 | Hot News | 9.1 |
2917090 | [CVE-2020-6252] Information Disclosure in SAP Adaptive Server Enterprise (Cockpit). Product – SAP Adaptive Server Enterprise (Cockpit), Version – 16.0 | Hot News | 9 |
2916927 | [CVE-2020-6241] SQL Injection vulnerability in SAP Adaptive Server Enterprise. Product – SAP Adaptive Server Enterprise, Version – 16.0 | High | 8.8 |
2915585 | [CVE-2020-6243] Code Injection in SAP Adaptive Server Enterprise (XP Server on Windows Platform). Product – SAP Adaptive Server Enterprise (XP Server on Windows Platform), Versions – 15.7, 16.0 | High | 8 |
2908560 | [CVE-2020-6249] SQL Injection vulnerability in SAP Master Data Governance(MDG). Product – SAP Master Data Governance, Versions – S4CORE 101; S4FND 102, 103, 104; SAP_BS_FND 748 | High | 7.7 |
2917273 | [CVE-2020-6253] SQL Injection vulnerability in SAP Adaptive Server Enterprise (Web Services). Product – SAP Adaptive Server Enterprise (Web Services), Versions – 15.7, 16.0 | High | 7.2 |
2911801 | [CVE-2020-6244] Binary planting vulnerability in SAP Business Client. Product – SAP Business Client, Version – 7.0 | Medium | 7 |
2917022 | [CVE-2020-6250] Information Disclosure in SAP Adaptive Server Enterprise. Product – SAP Adaptive Server Enterprise, Version – 16.0 | Medium | 6.8 |
2828558 | [CVE-2020-6245] Multiple Vulnerabilities in SAP Business Objects Business Intelligence Platform. Additional CVEs – CVE-2020-6247, CVE-2020-6251. Product – SAP Business Objects Business Intelligence Platform, Version – 4.2 | Medium | 6.5 |
2920548 | [CVE-2020-6259] Missing authorization check in SAP Adaptive Server Enterprise. Product – SAP Adaptive Server Enterprise, Versions – 15.7, 16.0 | Medium | 6.5 |
2913293 | [CVE-2020-6254] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection. Product – SAP Enterprise Threat Detection, Versions – 1.0, 2.0 | Medium | 6.1 |
2912747 | [CVE-2020-6256] Missing Authorization check in SAP Master Data Governance. Product – SAP Master Data Governance, Versions – 748, 749, 750, 751, 752, 800, 801, 802, 803, 804 | Medium | 5.4 |
2907781 | [CVE-2020-6257] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Business Intelligence Platform (CMC and BI launchpad). Product – SAP Business Objects Business Intelligence Platform (CMC and BI launchpad), Version – 4.2 | Medium | 5.4 |
2732527 | Update to Security Note released on March 2019 Patch Day: Potential Oracle attack on OPC UA server in SAP Plant Connectivity. Product – SAP Plant Connectivity, Versions – 15.1, 15.2, 15.3, 15.4 | Medium | 5.3 |
2856923 | [CVE-2020-6240] Denial of service (DOS) in SAP NetWeaver Application Server ABAP (Web Dynpro ABAP). Product – SAP NetWeaver AS ABAP (Web Dynpro ABAP), Version – SAP_UI 750, 752, 753, 754; SAP_BASIS 700, 710, 730, 731, 804 | Medium | 5.3 |
2735924 | Update to Security Note released on September 2019 Patch Day: [CVE-2019-0352] Improper session management in SAP Business Objects Business Intelligence Platform(CMC). Product – SAP Business Objects Business Intelligence Platform, Versions – before 4.1, 4.2 and 4.3 | Medium | 4.3 |
2915429 | Update 1 to Security Note 2735924 – [CVE-2019-0352] Improper session management in SAP Business Objects Business Intelligence Platform(CMC). Product – SAP Business Objects Business Intelligence Platform, Versions – before 4.1, 4.2 and 4.3 | Medium | 4.3 |
2915429 | [CVE-2020-6258] Missing Authorization check in SAP Identity Management. Product – SAP Identity Management, Version – 8.0 | Medium | 4.3 |